Filter winlogbeat by eventID

Hi,

I am sending wineventlogs to logstash at about 60k/m and we need to send about 100 matching eventID's to an output.

It would be ugly to add 100 or statements to this filter and just wondering what the best way might be from a management and performance standpoint.

if [type]=="wineventlog" and "DC" in [tags] {

Did you try this in winlogbeat config?
https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-winlogbeat-options.html#_literal_event_logs_event_id_literal
Enter the EventIDs you need, like this :slight_smile:

winlogbeat.event_logs:
  - name: Security
    event_id: 4624, 4625, 4700-4800, -4735

Yeah, looked at that but it doesn't fit the business need.

I want to use logstash as my traffic cop.

  • Everything goes to ES
  • Critical events go to our monitoring solution.
  • Specific event ID's go to our SAS solution for PCI.

The first two are easy but the 3rd I have a list of about 100 event ID's to target.

I know this might be a bit long-winded, but something like this should work:

output {
  if [field] =~ "(EventID1|EventID2|EventID3|etc...)" {
    output config....
  }
}

Yep that would do it,
Was hoping to find a way to pull out the list into a macro or something.

Like an if [event_id] in $list type of expression, so the list could be a managed flat file or something.

Thanks Walker, I'll post results.

Based on the example documentation, it looks like you can use ranges as well. You may also be able to use regex or wildcard. I've not tried to get as granular as you are going so I don't really know what's possible.

Using eventcreate on Windows to create a Windows event_id of 999. I can see it in the debug logs, and I can see it if I write it out to a file without the filter, but I CANNOT seem to get this rule to fire.
Any help would be appreciated.

output {
  if [type]=="wineventlog" and [event_id]=="999" {
    file {
      path => "/opt/logs/logstash/%{host}-eventid.json"
      codec => "json_lines"
    }
  }
  if [type]=="wineventlog" and "DC" in [tags] {
    tcp {
      host => "loghost"
      port => "5142"
      mode => "client"
      codec => "json_lines"
    }
  }
}

Update: Found a reply from Magnus Bäck on another post. event_id is a numeric type, so you are required to use a non-string match.
The question is how can I match multiple values.

[event_id]==999
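The two open points in this thread, matching a numeric event_id and keeping a list of ~100 IDs in a managed file rather than a long or-chain, can be handled with the translate filter. The following is an added example, not a config posted in this thread; the dictionary path /etc/logstash/pci_event_ids.yml and the hosts es01, loghost and sas-collector are assumed names.

```conf
# Added example (not from this thread). Assumed: the dictionary file
# /etc/logstash/pci_event_ids.yml and the hosts es01, loghost, sas-collector.
#
# /etc/logstash/pci_event_ids.yml (constructed sample, one line per event ID;
# quote the keys so YAML loads them as strings, which is what translate looks up):
#   "4624": "pci"
#   "4625": "pci"
#   "4720": "pci"
#   "999":  "pci"

filter {
  if [type] == "wineventlog" {
    # event_id is a number, so [event_id] == "999" never matches. translate
    # looks up the field's string form in the dictionary and writes the hit
    # into @metadata, which is never shipped to any output.
    translate {
      field            => "event_id"              # newer plugin versions: source / target
      destination      => "[@metadata][route]"
      dictionary_path  => "/etc/logstash/pci_event_ids.yml"
      refresh_interval => 300                     # re-read the file every 5 minutes
    }
  }
}

output {
  # 1. everything goes to Elasticsearch
  elasticsearch { hosts => ["es01:9200"] }

  # 2. critical DC events go to the monitoring solution
  if [type] == "wineventlog" and "DC" in [tags] {
    tcp { host => "loghost" port => 5142 mode => "client" codec => "json_lines" }
  }

  # 3. the ~100 PCI event IDs go to the SAS collector
  if [@metadata][route] == "pci" {
    tcp { host => "sas-collector" port => 5143 mode => "client" codec => "json_lines" }
  }
}

# For a short inline list, compare against numbers rather than strings:
#   if [type] == "wineventlog" and [event_id] in [4624, 4625, 4720] { ... }
```

Editing the YAML file is enough to change the routed set; no pipeline restart is needed once refresh_interval has elapsed.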
